Submission Details
Severity:
[H-2] call :: TwentyOne.sol mixes up the player(msg.sender) as the dealer
Summary
function call() public {
require(
playersDeck[msg.sender].playersCards.length > 0,
"Game not started"
);
uint256 playerHand = playersHand(msg.sender);
// Calculate the dealer's threshold for stopping (between 17 and 21)
uint256 standThreshold = (uint256(
keccak256(
abi.encodePacked(block.timestamp, msg.sender, block.prevrandao)
)
) % 5) + 17;
// Dealer draws cards until their hand reaches or exceeds the threshold
@>while (dealersHand(msg.sender) < standThreshold) {
uint256 newCard = drawCard(msg.sender);
addCardForDealer(msg.sender, newCard);
}
@>uint256 dealerHand = dealersHand(msg.sender);
// Determine the winner
if (dealerHand > 21) {
emit PlayerWonTheGame(
"Dealer went bust, players winning hand: ",
playerHand
);
endGame(msg.sender, true);
} else if (playerHand > dealerHand) {
emit PlayerWonTheGame(
"Dealer's hand is lower, players winning hand: ",
playerHand
);
endGame(msg.sender, true);
} else {
emit PlayerLostTheGame(
"Dealer's hand is higher, dealers winning hand: ",
dealerHand
);
endGame(msg.sender, false);
}
}
The function call :: TwentyOne.sol calculates the dealersHand with the parameter msg.sender. This function is to be called by the player and not the dealer considering the require statement require(````playersDeck[msg.sender].playersCards.length > 0,````"Game not started"````);. Using msg.sender as player parameter to calculate the dealerHand will always cause a reverting error when the function is called
Impact
The function always revert due to msg.sender being used in dealersHand
Tools Used
Manual Review
Recommendations
The dealer should definitely be a separate player
Rewards breakdown
nSLOC
147This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.